HITRUST comments that harmonization through public and private industry partnership requires appropriate assurance for consistent outcomes
FRISCO, Texas, October 30, 2023
HITRUST, the information risk management, standards, and certification body, today submitted comments in response to the White House Request for Information (RFI) on Cyber Regulatory Harmonization.
The Office of the National Cyber Director (ONCD) invited public comments to identify opportunities and challenges to harmonize cybersecurity regulations for critical infrastructure. The RFI aims to create a harmonization framework that represents reciprocity of baseline cyber requirements that are aligned across all critical infrastructure sectors. Harmonization—which the RFI defines as, “a common set of updated baseline regulatory requirements that would apply across sectors”—is a complex, yet achievable undertaking.
Since its founding in 2007, HITRUST has championed programs that safeguard sensitive information and manage information risk for organizations in the healthcare and public health (HPH) sector, other critical and non-critical industries, and throughout the third-party supply chain in both the U.S. and internationally. Practical and achievable harmonization is fundamental to HITRUST, and the HITRUST CSF is continuously updated with more than 40 authoritative sources, including National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, NIST SP 800-171, International Standards Organization and International Electrotechnical Commission (ISO/IEC) Standard 27001 (ISO/IEC 27001), and Health Insurance Portability and Accountability Act (HIPAA) security requirements.
HITRUST provided feedback to questions on the opportunities and challenges to harmonize cybersecurity regulations based on its 15+ years of experience supporting, reviewing, and certifying thousands of security assessments for healthcare and other critical infrastructure sectors.
“While voluntary approaches to securing critical infrastructure have resulted in measurable improvement, they have not proven consistent across all critical infrastructure sectors or even within them,” said Robert Booker, Chief Strategy Officer, HITRUST. “
HITRUST’s experiences, and those of the hundreds of security assessor firms with whom we work, demonstrate that the issue for cyber harmonization is not the standards and regulations alone. We suggest that high-quality, robust, and consistent assurance mechanisms are equally important, if not more important, to achieving adequate and consistent cybersecurity outcomes for all security regulations. Outcomes are only achieved where results are evaluated and measured.” HITRUST’s experience suggests that a harmonization framework requires:
- Approaches where accepted best practices are aligned with reliable assurances
- Reciprocity, including reliance on private sector assurances as a critical component of effective harmonization
- Accreditation of third-party assessors involved in cybersecurity assurance supported by an established and transparent quality system
- Reliance expectations that include transparency, scalability, consistency, accuracy, and integrity
“Quality and transparency from companies issuing security certifications is essential to achieving the stated goals of harmonization and are the foundation of HITRUST assurances,” said Booker. “The benefits of cybersecurity from a harmonized framework must include mechanisms for practical implementation, controls to be selected and specifically applied, and implementation maturity to be transparently scored.”